56. Security Recommendations for CloverDX Server
To improve security of CloverDX Server, you should:
-
Change the default password for clover user. Without changing the password, everybody would be able to log in as clover. See Change Users Password.
-
Create a user different from clover and add it to the admin group. If there are more administrators, create a user account for each. See Users.
-
Set the master password. Without the master password, you cannot use secure parameters. See Secure Parameters.
-
Run CloverDX Server with privileges of an ordinary user, e.g. create a system account
clover
used only for running CloverDX Server. Do not run CloverDX Server under the root account. -
The communication with a system database may be unencrypted. Consider encrypting the connection to system database too.
-
If a database provides you with a root/admin account, do not use this account for CloverDX Server. Create a separate database user account, e.g. clover.
-
Run CloverDX Server on HTTPS. If you communicate over HTTP, your data is sent unencrypted and eavesdroppers can easily see it.
-
Disable the HTTP API if you do not need it. See Simple HTTP API.
-
In Data Services, put KeyStores outside a sandbox and run the service on HTTPS. If you have a KeyStore in a sandbox, a user with write permissions could replace it with another KeyStore. HTTPS Connectors.
-
Enable user lockout after repeated failed login attempts. If you use this feature in Cluster, make sure that all Cluster nodes have the same lockout configuration. See User Lockout